3/03/2010 @ 6:00PM

Banks Get Double Dose Of 'Black Energy'

Standard operating procedure for the identity theft industry involves performing high-volume fraudulent transactions as quickly and quietly as possible. But now researchers have found evidence of a new hacking group that takes a different approach: one that’s less discreet and more destructive.

On Wednesday cybersecurity researchers at Secureworks issued a report describing a new cybercriminal group that aims a one-two punch at banks. First it collects banking customers’ passwords using a variation of the so-called Black Energy software, which has infected thousands of computers worldwide to create a “botnet” of hijacked machines. The machines use the collected passwords to move funds into the hackers’ accounts, and then typically delete files from the user’s computer to cover their tracks.

But what follows that fraud is an unlikely step: a cyberattack known as a “distributed denial-of-service,” using a flood of data requests from the infected computers to take down the company’s online banking service. “The same botnet that’s being used to steal money from banks is launching these denial-of-service attacks on them,” says Secureworks researcher Joe Stewart. “It’s all very unusual.”

Until sometime last year, Stewart says, Black Energy software was used only to perform distributed denial-of-service attacks with no financial fraud element. The botnet’s targets were generally pornographic and gambling sites and their network hosts, all of which typically suffer attacks from competitors or extortionists.

But in November Stewart found a new strain of Black Energy that had been rewritten to allow it to function as a hidden password-stealing Trojan as well as a spam-sending application. “It’s been transformed into an all-around modular tool for cybercrime,” says Stewart.

He traced the botnet’s activities to at least a dozen targets, all of which were Russian or Ukrainian banks. This is another anomaly given Eastern European hackers’ preference to target Western banks. “It’s been a silent rule in Eastern Europe that you don’t steal from your own people,” says Stewart.

Secureworks says this Black Energy botnet infects between 5,000 and 20,000 PCs, likely far smaller than either the botnet based on the Zeus Trojan software found by Herndon, Va.-based cybersecurity firm Netwitness last month or the Mariposa botnet, the owners of which were indicted Tuesday.

But by combining stealthy fraud with overt denial-of-service attacks, this smaller botnet presents an unusual puzzle. Stewart speculates that the post-fraud attack may be designed to prevent a bank from detecting and reversing the criminal transactions during a window of time that may be specific to Russian and Ukrainian banks, given the botnet’s preference for those geographies. “It has to be related to being able to keep the money somehow,” says Stewart. “It must keep their fraud department busy or distract them from the crime long enough to prevent them from recovering the stolen money.”

But Roel Schouwenberg, a researcher with Moscow-based cybersecurity firm Kaspersky, says he’s not aware of any element of Russian banks that would make their antifraud systems vulnerable to this sort of attack. And by launching an attack on the bank’s Web site from the same infected computers used to perform the fraud, he says, the botnet is likely just tipping off the bank to exactly which computers are performing the fraud. “It’s possible that they were trying to do something clever, and it’s simply not that clever,” says Schouwenberg. “Maybe they’ve watched Ocean’s Eleven too many times.”
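Schouwenberg’s observation is one a bank’s fraud team can turn into a check: if the machines that flood the online-banking site are the same infected PCs that just moved money, the flood’s source addresses point straight at the transfers worth holding. The script below is an added example, not code from the article, Secureworks or Kaspersky. It correlates constructed transfer records with a constructed web-server flood log (the field names, the 12-hour window and the three-request flood threshold are assumptions) and reports which transfers came from addresses that later joined the flood.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the article): outbound transfers as the
# online-banking application might log them. Times are local, minute resolution.
TRANSFERS = [
    {"id": "T1", "time": "2010-03-03 09:12", "src_ip": "203.0.113.10",
     "account": "ACC-001", "amount": 4800},
    {"id": "T2", "time": "2010-03-03 09:20", "src_ip": "198.51.100.7",
     "account": "ACC-002", "amount": 120},
    {"id": "T3", "time": "2010-03-03 09:41", "src_ip": "203.0.113.55",
     "account": "ACC-003", "amount": 9950},
    # Same address as T3 but a day earlier: outside the correlation window.
    {"id": "T4", "time": "2010-03-02 08:00", "src_ip": "203.0.113.55",
     "account": "ACC-003", "amount": 300},
]

# Constructed sample data: (time, source IP) pairs from the web-server access
# log during the request flood against the online-banking site.
FLOOD_HITS = [
    ("2010-03-03 10:05", "203.0.113.10"), ("2010-03-03 10:05", "203.0.113.10"),
    ("2010-03-03 10:06", "203.0.113.10"),
    ("2010-03-03 10:05", "203.0.113.55"), ("2010-03-03 10:05", "203.0.113.55"),
    ("2010-03-03 10:06", "203.0.113.55"),
    ("2010-03-03 10:05", "192.0.2.44"), ("2010-03-03 10:06", "192.0.2.44"),
    ("2010-03-03 10:06", "192.0.2.44"),
    ("2010-03-03 10:07", "198.51.100.9"),  # a single ordinary visitor, not flood
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def flood_sources(hits, min_hits=3):
    """Group flood-log hits by source IP. An address counts as a flood
    participant only if it sent at least `min_hits` requests (assumed
    threshold). Returns {ip: sorted list of hit times}."""
    by_ip = defaultdict(list)
    for ts, ip in hits:
        by_ip[ip].append(parse_ts(ts))
    return {ip: sorted(t) for ip, t in by_ip.items() if len(t) >= min_hits}


def correlate(transfers, hits, window=timedelta(hours=12), min_hits=3):
    """Return transfers whose source IP appears in the flood within `window`
    after the transfer, with the lag (minutes) to that IP's first flood hit."""
    sources = flood_sources(hits, min_hits)
    flagged = []
    for t in transfers:
        times = sources.get(t["src_ip"])
        if not times:
            continue
        sent = parse_ts(t["time"])
        later = [ft for ft in times if sent <= ft <= sent + window]
        if later:
            lag = int((later[0] - sent).total_seconds() // 60)
            flagged.append({"id": t["id"], "account": t["account"],
                            "src_ip": t["src_ip"], "amount": t["amount"],
                            "lag_minutes": lag})
    return flagged


def accounts_to_hold(flagged):
    """Accounts whose recent transfers came from flood participants;
    candidates for a manual review hold before the transfers settle."""
    return sorted({f["account"] for f in flagged})


if __name__ == "__main__":
    hits = correlate(TRANSFERS, FLOOD_HITS)
    for f in hits:
        print(f"{f['id']} from {f['src_ip']} ({f['account']}, {f['amount']}) "
              f"joined the flood {f['lag_minutes']} min later")
    print("hold for review:", accounts_to_hold(hits))
```

Only a lookup by source address is needed, which is why the mix of fraud and flood from one botnet is self-defeating from the attacker's side: the flood that is meant to distract the fraud department doubles as a list of the addresses that just moved money. The window and threshold are tuning knobs; a bank would set them from its own settlement timing and normal per-client request rates.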

Secureworks’ Stewart postulates that the gang behind the Black Energy variant may still be attacking banks for political or extortion purposes, and merely adding fraud into its attempt to damage the companies. But he notes that there’s no clear answer to the botnet operators’ reasoning or whether their target list will expand. “We can speculate,” says Stewart. “But for now, we can’t know.”